Wednesday, 5 August 2015

audi chorus - concert: how to recover password

what you need:

motorola cracker :

For the serial connection I used a CP2102-based adapter from eBay; it has the RTS signal wired out.

The software part is Motorola cracker version 6.x (7 didn't work!!!). It has support for COM ports 1 to 4, so change this in the advanced settings for your USB-to-UART adapter, then just boot the MCU and read the EEPROM. Here is an actual EEPROM dump, with code 1790; you can see it's in 3 places:

The number in the EEPROM directly after the code can (from my observation) be:

06 - SAFE2 mode, you need to wait 1 hour (info from here) to be able to enter the PIN
08 - SAFE1 mode, you can enter the PIN code to unlock
A0 - no code required

locked for 1 hour

no code required

standard SAFE mode

UPDATE: I have a Motorola MCU with the volume problem fixed, so I dumped the EEPROM of this MCU. As it has the problem fixed, it didn't store the volume value in the EEPROM, and so this dump is "clean" of garbage. I tried to load this dump into one of the affected MCUs, just to test how long it takes to have the volume issue back. For now it looks OK.

EDIT: it didn't fix it; radio volume is garbage at low temperatures, of course. But I had to try :)

UPDATE: based on this blogpost: http://www.realitytech.co.uk/rich/?p=192

I tried it, and it kind of works. Communication was really unstable, but it works for reading the EEPROM directly after booting the CPU, or for writing a simple byte of data. In my case it took 3 boots of the CPU, each time writing a simple byte (0xA0), at positions 3, 33 and 63, to disable code protection.

!!! Important note !!! You must connect only 12V and ground on the main connector of the radio. In my first attempts I had illumination connected to 12V, and because of this pin 22 went low, so my additional pull-up did not work.